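# CloudFormation template: creates a SecurityAccessRole that principals in the
# delegated admin account may assume, and which in turn may assume a role of the
# same name in other accounts (hub-and-spoke access). Deploying it requires
# CAPABILITY_NAMED_IAM because the role name is fixed.
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Creates SecurityAccessRole in delegated admin account'

Parameters:
  DelegatedAdminAccountId:
    Type: String
    Description: 12-digit AWS account ID of the delegated admin account whose principals may assume this role
    # Reject anything that is not exactly twelve decimal digits so a malformed
    # ID cannot become an unintended trust principal.
    AllowedPattern: '^\d{12}$'
    ConstraintDescription: Must be a 12-digit AWS account ID

Resources:
  SecurityAccessRole:
    Type: AWS::IAM::Role
    Properties:
      # Fixed name: the cross-account policy below, and the trust policies in
      # the target accounts, reference this role by name.
      RoleName: SecurityAccessRole
      Description: Role to allow delegated admin account principals to assume security access roles
      # Trust policy. Trusting the account ":root" principal delegates the
      # choice of which users/roles may assume this role to the IAM policies
      # inside the delegated admin account; there is no Condition (e.g. on MFA
      # or on the calling principal) narrowing it further.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${DelegatedAdminAccountId}:root'
            Action: 'sts:AssumeRole'
      Policies:
        - PolicyName: AssumeSecurityAccessRoleInOtherAccounts
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: 'sts:AssumeRole'
                # Account wildcard: this is only the caller-side grant; the
                # target account's SecurityAccessRole trust policy decides
                # whether this role is actually admitted. No !Sub is needed
                # because the ARN contains no template variables.
                Resource: 'arn:aws:iam::*:role/SecurityAccessRole'
      # Seconds; 3600 (1 hour) is the IAM default and minimum for a role session.
      MaxSessionDuration: 3600

Outputs:
  RoleArn:
    Description: ARN of the SecurityAccessRole
    Value: !GetAtt SecurityAccessRole.Arn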